Find reachable dependency vulnerabilities | Fluid Attacks Help

Find reachable dependency vulnerabilities

Fluid Attacks' static code scans detect third-party dependencies used in your software and verify whether it is actually using the dependencies' vulnerable functions. Ensuring that detected dependency vulnerabilities are actually reachable by threat actors is possible thanks to Fluid Attacks' Reachability feature.

Know which dependencies have identified issues

Fluid Attacks allows you to understand your software supply chain, identifying the dependencies in your software and indicating for which of them advisories have been issued.

If using the platform, this information is shown in the Supply chain section, along with details such as the dependency's location in your projects.

View used dependencies on the Fluid Attacks platform

This section shows the dependencies with associated advisories as "issues" and not necessarily "vulnerabilities." That is, you are only being informed that your software might be vulnerable. To find out whether the usage of those dependencies actually constitutes a vulnerability in your software, it is necessary to analyze your code verifying that it does use the dependencies' vulnerable functions. That is what Reachability accomplishes.

Know reachable dependency vulnerabilities

Leveraging the Reachability feature, Fluid Attacks' scans track down your use of the third-party dependencies' vulnerable functions. If it is confirmed that your software is at risk by using those dependencies, then you get the corresponding vulnerability reports.

If using the platform, every reachable vulnerability is reported in the Vulnerabilities section within the specific type of vulnerability it represents for your project.

To identify a reachable dependency vulnerability,
  1. select a type of vulnerability,
  2. Select a type with vulnerable dependency on the Fluid Attacks platform

  3. click on a location, and
  4. Select vulnerability using dependency on the Fluid Attacks platform

  5. identify whether a CVE ID is mentioned within the vulnerability description in the Details tab.
  6. See CVE in vulnerability description on the Fluid Attacks platform
Moreover, in the Evidence section of the type of vulnerability, you can see a screenshot showing your vulnerable code in context along with the mention of the CVE ID reported for the dependency.

View evidence of reachable vulnerability on the Fluid Attacks platform

Supported CVEs

The following table shows the Common Vulnerabilities and Exposures (CVE) entries for which reachability analysis is currently possible, indicating the corresponding programming language.

Note on total CVEs count
Note: The total CVEs count is the sum of unique CVEs.
Free trial message
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.